  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2824
Automatically log user off from Domain after x minutes of inactivity.

How can I configure a domain account so that the domain user is automatically logged off after x minutes of inactivity? Is it possible to create a group policy for this?

I want to configure and implement this from my server, since we occasionally have a problem with employees with quite high privileges who forget to log out and therefore present a security risk.

Sheldon

0
Sheldonh
Asked:
 
AndyBeamish Commented:
I'm assuming you're running Windows 2000 or better on the servers and workstations...

Can I suggest an ultra-simple solution: put the screen saver on, for example, 5 minutes and tick the box for "On resume, password protect". Whilst this doesn't explicitly log the user out from the network it does lock the machine until a user or admin password is entered.

Going a stage further you can lock down the screen saver options under gpedit. Have a browse to User Configuration / Administrative Templates / Control Panel / Display. Just make sure the users don't do the usual "password-on-a-post-it" !

Actually, I wouldn't recommend automatically logging off users anyway as they're bound to be half way through some vital report just as they break for lunch :)

Regards,

Andy
0
 
Fatal_Exception Commented:
You can certainly ensure that your users logoff.  We worked on several of these threads already...  here are the links:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20860048.html

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20878958.html

Good luck..

FE
0
 
naramalai Commented:
The Automatically log off users when logon time expires, at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, should be re-titled as Automatically disconnect users when logon time expires.

This policy affects the Server Message Block (SMB) component of a Windows 2000 server. When the policy is Enabled, the client sessions with the SMB server are forcibly disconnected when the client's logon hours expire.

STEP:
1) This policy affects all the computers in the domain, unlike Automatically log off users when logon time expires (local), which only affects the computers upon which it is applied.
2) When you configure a user's Logon Hours, they are prevented from logging on during unauthorized times, but they are not disconnected when their time expires?

To forcibly disconnect the user when their time expires, implement one of the following Group Policies:

Automatically log off users when logon time expires at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy affects the SMB component of a Windows 2000 server. When enabled, the policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. This policy affects all the computers in the domain.

Automatically log off users when logon time expires (local) at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy is the Local Computer policy default.

3) When you enforce logon hours restrictions by using Group Policy to navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and enable Automatically log off users when logon time expires, users whose logon times settings prevent logon at this time are NOT permitted to log on. However, users who are logged on and should be logged off are not?

If this happens in your domain, try the following:

1. Open a CMD prompt.

2. Type:

net accounts /forcelogoff:<minutes> /domain

where <minutes> is the number of minutes after the log on time expires that a user will be forced off. The user will receive a warning message <minutes> before the forced log off.

NOTE : The default setting for the /forcelogoff switch is no. When no is set, forced logoff is prevented. To see the current setting, open a CMD prompt and type net accounts. If this returns:

Force user logoff how long after time expires?: Never

then forced logoff is prevented. I would NOT set <minutes> to 0.

0
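To check what the forced-logoff setting from the post above currently is across several machines, the `net accounts` line it quotes can be parsed, as in this added example (not part of the original thread). `Get-ForceLogoffSetting` is a hypothetical name; the sketch assumes PowerShell is available, English-language output, and that a configured value is printed as a bare number of minutes.

```powershell
# Added example: read the forced-logoff setting out of `net accounts` output.
# Assumes English-language output, as in the line quoted in the post above.
function Get-ForceLogoffSetting {
    param(
        # Output lines to parse; when omitted, the local setting is queried live.
        # Pass (net accounts /domain) to check the domain setting instead.
        [string[]]$Lines = (net accounts)
    )
    $pattern = '^Force user logoff how long after time expires\?:\s*(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }   # skip unrelated lines
        $raw = $Matches[1]
        $minutes = 0
        if ($raw -eq 'Never') {
            return [pscustomobject]@{ Enforced = $false; Minutes = $null
                                      Note = 'forced logoff is prevented' }
        }
        # Assumption: a configured value appears as a plain integer (minutes).
        if ([int]::TryParse($raw, [ref]$minutes)) {
            $note = "logoff $minutes minute(s) after logon hours expire"
            if ($minutes -eq 0) { $note = 'no delay after logon hours expire' }
            return [pscustomobject]@{ Enforced = $true; Minutes = $minutes
                                      Note = $note }
        }
        throw "Unrecognised forced-logoff value: '$raw'"
    }
    throw 'Forced-logoff line not found (non-English or truncated output?)'
}

# Constructed sample output (not captured from a real domain).
$sampleNever = @(
    'Force user logoff how long after time expires?:       Never'
    'Minimum password age (days):                          0'
    'Maximum password age (days):                          42'
    'The command completed successfully.'
)
$sampleSet = $sampleNever -replace 'Never$', '10'

Get-ForceLogoffSetting -Lines $sampleNever
Get-ForceLogoffSetting -Lines $sampleSet
```

The setting reported here only governs what happens when a user's logon hours expire; it says nothing about idle time.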
 
Fatal_Exception Commented:
Just a comment nara...   EE recommends that when you copy something that you give credit to the original site...

For instance:  (if this is where you got that..  it is linked from the threads I posted above..)

http://www.jsiinc.com/subl/tip5500/rh5566.htm
0
 
Jared Luker Commented:
You could try something along these lines:

http://www.jsiinc.com/subh/tip3500/rh3590.htm
0
 
exids Commented:
Why don't you just setup the screen saver to password protect the system after a certain amount of time?  You can even do it in group policy.  It's so much less complicated.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdb_cdk_ugxd.asp
0
 
exids Commented:
Read the first post again
0
 
Fatal_Exception Commented:
Yes, but he is asking how to force a logoff....  There are good reasons to do this, other than just security...   Alternatives are always nice to add, but we should first focus on his primary question..

FE
0
 
Fatal_Exception Commented:
Why would you copy the same link I provided above..????   :)
0
 
Sheldonh (Author) Commented:
Hi all

Thank you all for your replies. A few things to clear up:

First, a lot said that I should use the screensaver password thing. Can't; when the computer resumes, only the administrator or the SAME USER that was logged on when the screensaver came on may resume the session. This is a problem, because it is not always the case that the same user uses the same computer all the time.

Second, a lot was also said about the force logoff of users AFTER LOGON TIME EXPIRES. Well, we don't have set logon times and because we are in a multi-user "per computer" environment, this won't help anyway. If I say that you can only log on before 17:00 every day and it is after 17:00 and a user is still logged on, then it will only automatically log off after the set time period after 17:00. What if the user of a computer walks away for 30 minutes at, say, 13:00? Then it is still before 17:00 and he won't be logged off automatically.

Now, if user walks away and another user sits in front of that same computer after say 30 minutes, then that computer should already be logged off, so that the other user can log on.

Now I have followed some of the links provided, and I have seen some discussions about

"Automatically log off users" and/or "Amount of idle time required before disconnecting session"

but I can't find the above options. I do however find the "Amount of idle time before suspending network session" option. I have tried to apply this to the domain and it doesn't seem to work. I applied it to the domain under "Domain Security Policy" and under GPO. I haven't seen any result. All the other policy settings that I apply are working, except this one.

Here is a Microsoft help description for "Amount of idle time before suspending network session"

Description
Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.


I understand this as the user's session being suspended, and then later automatically being started again, but for the same user. I don't think this is the same as logging off, I could be wrong.

There is also an option under a USER's Account properties under the "Sessions" tab for "Idle Time", and then underneath that the action to take after the set idle time. But that didn't work either. If it did work, then that would mean I would have to set this option for each and every user, about 200+ times...!

So, I need a GPO setting, that will automatically LOGOFF a user after a set time so that any other user will be able to log onto that same machine. No admin accounts needed etc...

Thanks again
0
 
Fatal_Exception Commented:
Did you try this..  Unfortunately it is not a GPO, but it does reflect one way to go about this...

Workstations that are left logged on may represent a security risk for an organization. Many networks allow users to leave programs running and to remain logged on to their computers for an undefined time period. The Microsoft Windows 2000 Resource Kit includes the Winexit.scr tool that you can use to automatically quit a user's programs and to log the user off of the workstation.

How to Configure the Winexit.scr Screen Saver:

1. Use Windows Explorer to locate the Winexit.scr file in the Windows 2000 Resource Kit folder on your hard disk.
2. Right-click the Winexit.scr file, and then click Install.
3. The Display Properties dialog box appears with the Screen Saver tab active. The Logoff Screen Saver entry is automatically selected. Click Settings.
4. Select the Force application termination check box to force programs to quit.
5. In the Countdown for n seconds box, type the number of seconds for which the logoff dialog box appears before the user is logged off.
6. In the Logoff Message box, type the message that appears during the logoff countdown. Click OK.
7. In the Display Properties dialog box, click Preview.
8. You see the Auto Logoff dialog box. It displays the logoff message and the countdown timer. Click Cancel.
9. Click OK.
0
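Both the password-protected screen saver suggested earlier in the thread and the Winexit.scr screen saver described above end up as per-user `Desktop` registry values, with the Control Panel / Display policies writing to the `Policies` copy. The following is an added example, not code from the thread: `Read-DesktopValues` and `Get-IdleProtection` are hypothetical names, and it assumes PowerShell is available on the workstation being checked.

```powershell
# Added example: evaluate the screen saver values for the current user.
# Values under the Policies key (set by Group Policy) override the user's own.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$Names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Read-DesktopValues([string]$Key) {
    $out = @{}
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        if ($props -and $null -ne $props.$n) { $out[$n] = [string]$props.$n }
    }
    return $out
}

function Get-IdleProtection {
    param(
        [hashtable]$Policy = (Read-DesktopValues $PolicyKey),
        [hashtable]$User   = (Read-DesktopValues $UserKey),
        [int]$MaxSeconds   = 300   # 5 minutes, the figure suggested in the thread
    )
    $eff = @{}; $src = @{}
    foreach ($n in $Names) {
        if ($Policy.ContainsKey($n))   { $eff[$n] = $Policy[$n]; $src[$n] = 'Policy' }
        elseif ($User.ContainsKey($n)) { $eff[$n] = $User[$n];   $src[$n] = 'User' }
    }
    $timeout = 0
    [void][int]::TryParse([string]$eff['ScreenSaveTimeOut'], [ref]$timeout)
    $saver   = [string]$eff['SCRNSAVE.EXE']
    $active  = ($eff['ScreenSaveActive'] -eq '1') -and ($saver -ne '')
    $logsOff = $saver -match 'winexit\.scr$'          # Resource Kit logoff saver
    $locks   = $eff['ScreenSaverIsSecure'] -eq '1'    # "password protect" box
    $action  = 'None'
    if ($active -and $logsOff)   { $action = 'Logoff' }
    elseif ($active -and $locks) { $action = 'Lock' }
    [pscustomobject]@{
        Action         = $action
        TimeoutSeconds = $timeout
        ScreenSaver    = $saver
        # Settings not pinned by policy can be changed back by the user.
        UserCanChange  = @($Names | Where-Object { $src[$_] -ne 'Policy' })
        Compliant      = ($action -ne 'None') -and $timeout -gt 0 -and $timeout -le $MaxSeconds
    }
}

# Constructed sample values (not read from a real machine): policy sets the
# lock and timeout but leaves the screen saver executable to the user.
$samplePolicy = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '300' }
$sampleUser   = @{ 'SCRNSAVE.EXE' = 'C:\WINNT\system32\logon.scr'; ScreenSaveTimeOut = '900' }
Get-IdleProtection -Policy $samplePolicy -User $sampleUser
```

Run without arguments in a user's session (for example from a logon script) it reads the live registry; a non-empty `UserCanChange` list shows which settings are not locked down by policy.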
 
Fatal_Exception Commented:
0
 
Fatal_Exception Commented:
And here is another article that addresses the Winexit method..

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4541
0
 
Sheldonh (Author) Commented:
Hi All

Thank you FE for pointing out Winexit.scr to me. I was aware of this feature before, but wanted a better way of implementing this on a domain. I have come to realise that Microsoft actually does not have such a feature. So they released Winexit Screensaver with a Resource Kit. It is still a bit of a hassle to have the screensaver installed on all machines, and then there is also a bug in the screensaver that can be fixed by editing the registry of EACH MACHINE!! Permissions have to be set...

So, I will use this as my solution, seeing that there is nothing else.

Thanks for nothing Microsoft!!!

Cheers

Sheldon grabs the nearest vine and exits Tarzan style...
0
 
Jared Luker Commented:
Sheldon,

If you would like some help in scripting the registry change in your startup/login scripts, just let me know.

Jared
0
 
Sheldonh (Author) Commented:
Thanks JL

I will do so...

Cheers
0
 
Fatal_Exception Commented:
Yea..  MS should address this..  Perhaps in Service Pack 10..???  :)

But thanks...  and good luck with the deployment..

FE
0
Question has a verified solution.
